Computer Forensics

If I read an article, or look at a picture or drawing of something illegal, say - how to make drugs in my kitchen - does it leave any image on my computer if I don’t download it

It may not have the actual image/drawing/text, but will almost certainly have traces/evidence in the form of ip addresses/urls of visited pages and maybe cookies/temporary files/thumbnails etc. (Unless you’re very, very careful …)

In what way, careful?

Well … you could always use ‘incognito’ mode on your browser to stop it saving cookies and delete your browsing history after. And run something like CCleaner after. IANA cyber security expert and that may not prevent the FBI from finding stuff but may prevent the casual snooper from finding anything incriminating!

Even if you avoid/delete all traces on your computer, your internet provider will have logs of the urls you visited.

I’m curious about how much detail these logs would have.
I’m sure GiantInternetMonopoly could show I was at boards.straightdope.com.
But would they have a record of boards.straightdope.com/computer-forensics/985147/4 ?

I try to mask a lot of my browsing, merely to avoid creepy advertising, but I’ve always wondered exactly what detail the provider is logging. I heard somewhere that secure sites (like this one with the little lock symbol) mask everything after the slash “/”. Any truth to that?

Sorry, I also have no clue. I even used to work for a small internet provider, but I was in software development and had no access to the client database and logs.

Not an expert on forensics either, but… and I haven’t really kept up on this stuff.

As I understand, the data back and forth from a website nowadays is typically HTTPS, the “S” meaning secure (encrypted) so unlikely anyone (other than the NSA?) would be able to read it as it went by.

However, the request for websites starts with DNS. You send a request to a DNS server to tell you the IP address of “boards.straightdope.com” and it replies with an IP address. Usually, that comes from your local provider who now has a record of that if they choose to track you. Then you open a connection and send a packet to that address, saying I want “http://boards.straightdope.com/computer-forensics/985147/4”. That should be encrypted, so your local provider can’t see the details there, just the destination IP. (Considering some IP addresses host multiple domain names, somewhat ambiguous too)

There’s a push to switch to encrypted DNS servers, but the pushback is that you’d be using one of a limited number of some big tech’s DNS - so Google is tracking you instead of Verizon. (Unless you’re browsing from a phone, in which case you have less control)

You can also use a VPN, where all your internet traffic is encrypted between you and the VPN’s exit point onto the internet. All your traffic appears to come from their attach point(s) IP addresses. Most VPN providers promise for privacy reasons that they do not track or log what you are doing through their service. Because the traffic is encrypted, all your local provider can tell is - you are sending encrypted traffic to the VPN’s entry address.

Every web page you visit, you download the contents - text, pictures, active content, HTML code etc. In the early days of modems, it was good to download and store this, so next visit you did not have to wait to download again. (and there are flags to say what changed, needs re-download) Plus, there’s cookies to store things like your preferences on that website, your shopping cart, or a unique ID to track who you are. There are dozens of ways to customize websites and follow a person through multiple visits.

Nowadays, if you use incognito, this stuff is not stored, nor is your history, once you close that browsing session. However, no guarantee the content is wiped. Computers are lazy, no need to overwrite obsolete data, just mark the area of memory/disk as “ready to reuse”. Hence the recommendation for CCleaner.

And of course, as the details of how the internet tubes work keep changing, and how Windows or Android or iOS or browsers work - all these details keep changing too. What worked last year may be different today.

So as an experiment, I opened Wireshark and then launched a browser and navigated to this page.

I saw the packets going to two different domain name servers with the responses, both returning this:

boards.straightdope.com: type CNAME, class IN, cname straightdope.hosted-by-discourse.com

Then there was a new TCP connection (SYN, SYN/ACK, ACK) with the 'Dope.
Then a TLS “Client Hello” packet that contains the string “boards.straightdope.com” but no details of what page on the site is being accessed.

After that, everything is encrypted.

I did a search for the word “forensics” in the packet capture and it wasn’t found.

For casual users, it does appear that the details of the HTTP request are not accessible to your ISP.

No guarantees regarding real computer forensics folks digging into your machine, it’s all but certain that they would know where you have been since even deleted temporary files leave an imprint on your hard drive that can be found later with the correct techniques.
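As an added illustration of what the Wireshark experiment above found (this is example code, not the poster’s capture): a constructed TLS ClientHello for “boards.straightdope.com” is built and then parsed the way a passive observer on the wire would, pulling the hostname out of the plaintext server_name (SNI) extension. The page path never appears in the record at all, because it is only sent inside the encrypted HTTP request that follows the handshake. The ClientHello layout follows the TLS wire format; the random bytes and cipher suite list are constructed placeholders.

```python
import struct

def build_client_hello(host: str) -> bytes:
    """Constructed ClientHello record with a server_name (SNI) extension for `host`."""
    name = host.encode()
    entry = struct.pack("!BH", 0, len(name)) + name            # name_type=host_name, length, name
    sni_ext = struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry
    body = (
        b"\x03\x03"                                             # client_version: TLS 1.2
        + b"\x11" * 32                                          # "random" (constructed placeholder)
        + b"\x00"                                               # session_id length 0
        + b"\x00\x02\x13\x01"                                   # one cipher suite (placeholder)
        + b"\x01\x00"                                           # compression_methods: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext             # extensions block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22

def extract_sni(record: bytes):
    """Walk a ClientHello record as a sniffer would and return the SNI hostname, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                                              # not a handshake/ClientHello
    p = 9 + 2 + 32                                               # headers, version, random
    p += 1 + record[p]                                           # session_id
    p += 2 + struct.unpack_from("!H", record, p)[0]              # cipher_suites
    p += 1 + record[p]                                           # compression_methods
    if p + 2 > len(record):
        return None                                              # no extensions present
    end = p + 2 + struct.unpack_from("!H", record, p)[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, p)
        p += 4
        if etype == 0x0000:                                      # server_name extension
            q = p + 2                                            # skip server_name_list length
            while q + 3 <= p + elen:
                ntype = record[q]
                nlen = struct.unpack_from("!H", record, q + 1)[0]
                if ntype == 0:
                    return record[q + 3:q + 3 + nlen].decode()
                q += 3 + nlen
        p += elen
    return None

def visible_on_wire(host: str, path: str) -> dict:
    """What a passive observer learns from the ClientHello alone: host yes, path no."""
    rec = build_client_hello(host)
    return {"sni": extract_sni(rec), "path_visible": path.encode() in rec}
```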

Let’s start at the very beginning: If you looked at something on the Web, then you downloaded it. There’s no way to look at something on your computer without downloading it.

Ordinarily, your web browser just downloads things to a temporary folder called the cache. Eventually, when it feels like it (generally, when it needs the room for something else), it’ll automatically delete the stuff from the cache, but unless you make an effort, you won’t know when that’ll be.

If you specifically go in and clean out your cache, or use your browser’s Private Mode (which, among other things, generally clears out that part of the cache when the session ends), then we can get into all of the more advanced things that everyone else is talking about. But if you weren’t paying attention to anything and saw some web site within the past week, chances are very good that the entire page you were looking at is sitting right there completely intact on your computer.

Well, every machine that is on line has an IP address that is the computer equivalent of a street and number address. Even if you use a browser in private mode, that still holds true so, when you access a site, you can be traced. The reality is that, unless the feds are trolling a site or unless they are interested in YOU for some reason, no one is really going to notice a simple search of that nature.

Browser cache is a big place where that sort of thing gets stored. Like @Chronos points out, it may have what amounts to the entire page stored there.

There are all sorts of caches in your computer that temporarily store things so that it doesn’t have to go back to the internet for things - DNS caches, ARP caches, and so forth. Potentially all of these could have something stored that points back to your incriminating website or article.

The thing is, professional forensics packages go through every byte on the hard drive- deleted or not, and catalog everything they find. It’s really, really hard to clear evidence of something that you already did. It’s somewhat less difficult to actually prevent it being logged in the first place, but still a pain.

The good news is that computer forensics isn’t cheap. Back when I did it (e-discovery & forensic data mining, not encase/FTk type stuff) back in 2005-2008, I was billed out at $350/hr, and I was the lowest priced person we had. Most of our guys were more specialized and experienced, and billed out at $450 or so. That was over 15 years ago; I can only imagine they bill quite a bit more now.

So nobody’s going to subpoena your PC and go combing it with a fine tooth comb unless it’s needed in a relatively high dollar civil court case, or you’re suspected of doing something very bad by the criminal justice side of things.

Just for fun, try entering “kind:=video” (note, colon-equal, not just equal sign) in the Search Quick Access box in an explorer window. Many types of video encountered or played from a webpage may be there (I think it depends on your level of secure browsing).

It should also be pointed out that “deleting” just marks the directory entries as no longer in use and puts those disk sectors back on the free list. Nothing is actually removed from the disk. All of the data is still there, it’s just that the indexes to the data are no longer valid. Since the sectors are back on the free list, the computer may overwrite them at some point, but exactly if and when they’ll get overwritten isn’t guaranteed.

The flip side of this is, even if you read up extensively on all the things you can do to cover your tracks, do you really think that, even after all of that reading, you know more of the tricks than the guys who get paid $450 per hour? If someone really wants to get at your browsing history, the pros will probably be able to find some clues, no matter how much effort you put into it.

Especially since some of the clues will be in places that you have no control over, like your ISP’s records.

@Chronos did a good job on the stuff at the user’s end on their PC / tablet / phone. Various folks have tried to tackle what happens along the way and at the other end(s). I’ll try to summarize that at a high level for a non-technical audience.

Encryption along the way prevents eavesdroppers from observing and tracking the two-way conversation between server(s) and client(s). Which is nice and all, but isn’t the whole story. Even encryption is (probably) transparent to NSA and other countries’ equivalent agencies for traffic within their borders.

But that’s not the real problem in achieving internet anonymity.

In order to send you content, the server with the content has to know exactly what to send and where to send it. Whether that’s a picture, a script, some text, an ad, music, whatever. And the content provider can, in principle, log the fact that at time X their server Y transmitted content Z to a remote computer at address Q.

Most servers are configured to log most of that. How long they keep those logs, and how accessible they are to law enforcement / spy agencies / advertisers / criminals is totally unknowable by you.

With enough effort you can make it hard, bordering on impossible, for them to connect you, the user, and your physical phone / tablet / PC to the address Q some server sent some blob of content to. But generally speaking, absent aggressive efforts on your part, the connection from Q to your device to you is totally transparent to anyone with the tools and intent to look. Which can be as benign as advertisers wanting to serve you “better” ads, or as sinister as the CIA plotting to frame you for child porn because Reasons.

And you don’t just have to worry about what is on your own computer. Remember that tech companies like Google, Apple, Microsoft and Facebook not only have basic data like users’ names, addresses and contact information, they also often have access to the contents of their users’ emails, text messages, call logs, photos, videos, documents, contact lists and calendars.

No, not really. I only mentioned the most basic, fundamental thing on the user’s device. I didn’t even mention cookies, browser history, or DNS cache, for instance.

The encryption used in most web browsers is probably opaque to everyone, including the NSA. Which just means, as you say, that instead of going through the encryption, you just go around it, since often all you’re interested in is who’s talking to whom, not the content of the data.

IMO you hit the essential point for a non-techie audience:

Everything you see and a lot you don’t is downloaded and can be retrieved from your PC later by a motivated snoop. Cleaning up the most obvious parts of your tracks accomplishes very little. Doing a really complete cleanup job locally is simply beyond the scope of a non-professional.

Yeah, to clear that stuff you’ve got to run one of those utilities that will deliberately overwrite every bit of free space with something.

Once you’ve done that, you’ve effectively destroyed it. Not only is it not in the MFT, but any residual data has been overwritten. I imagine maybe there’s some kind of magic the CIA might be able to do to get that back, but in commercial and law enforcement forensics, that stuff is gone for good.
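To make concrete the two points made above (deleting only invalidates the index while the sectors keep their bytes, and a free-space wiper is what actually destroys them), here is an added toy model that is not from any poster or any real file system: a constructed disk of fixed-size sectors with a directory acting as the index, a signature-carving routine of the kind forensic tools use that ignores the directory entirely, and a free-space wipe. The file contents and markers are constructed sample data.

```python
SECTOR = 512

class TinyDisk:
    """Constructed toy disk: raw sectors plus a directory that serves as the index."""
    def __init__(self, sectors: int = 16):
        self.data = bytearray(SECTOR * sectors)
        self.free = list(range(sectors))   # free list of sector numbers
        self.directory = {}                # name -> sectors holding the file (the index)

    def write(self, name: str, content: bytes) -> None:
        needed = -(-len(content) // SECTOR)                    # ceiling division
        used = [self.free.pop(0) for _ in range(needed)]
        for i, s in enumerate(used):
            chunk = content[i * SECTOR:(i + 1) * SECTOR]
            self.data[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.directory[name] = used

    def delete(self, name: str) -> None:
        # "Deleting": drop the directory entry and put the sectors back on the free list.
        # Nothing touches the bytes in those sectors; they stay exactly as written.
        self.free.extend(self.directory.pop(name))

    def wipe_free_space(self) -> None:
        # What a free-space wiping utility does: overwrite every sector no file references.
        for s in self.free:
            self.data[s * SECTOR:(s + 1) * SECTOR] = b"\0" * SECTOR

def carve(disk: TinyDisk, header: bytes, footer: bytes):
    """Forensic-style carving: ignore the directory and scan the raw bytes for header..footer."""
    start = disk.data.find(header)
    if start < 0:
        return None
    end = disk.data.find(footer, start)
    return bytes(disk.data[start:end + len(footer)]) if end >= 0 else None

def demo():
    """Write a cached page, delete it, carve it back, wipe free space, try again."""
    disk = TinyDisk()
    page = b"<html>constructed cached copy of /computer-forensics/985147/4</html>"
    disk.write("cache.html", page)
    disk.delete("cache.html")
    after_delete = carve(disk, b"<html>", b"</html>")        # still recoverable
    disk.wipe_free_space()
    after_wipe = carve(disk, b"<html>", b"</html>")          # gone
    return after_delete, after_wipe
```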